US10614225B2 - System and method for tracing data access and detecting abnormality in the same - Google Patents

System and method for tracing data access and detecting abnormality in the same

Info

Publication number: US10614225B2
Authority: US (United States)
Prior art keywords: asset, dna, data, deviation, user
Legal status: Active
Application number: US16/056,050
Other versions: US20180349616A1 (en)
Inventor: YeeJang James Lin
Current Assignee: DATIPHY Inc
Original Assignee: DATIPHY Inc

Events:
Application filed by DATIPHY Inc
Priority to US16/056,050
Assigned to DATIPHY INC. (Assignors: LIN, YEEJANG JAMES)
Publication of US20180349616A1
Application granted
Publication of US10614225B2
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2101 Auditing as a secondary aspect
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the present invention generally relates to data security, and more specifically to a system and method that detect abnormality in data access.
  • Information is becoming the most valuable asset for any company in today's business world, and consequently the need to protect the information is of paramount importance for every company.
  • the information owners need to know who is accessing and using the information and how the information is accessed. Only by knowing how the information is accessed is it possible to detect abnormalities in a system through which the information is accessed.
  • the amount of data that needs to be collected and analyzed overwhelms any system designed to track and protect the data in an information system, especially when the data collected seem unrelated to each other.
  • the system of the present invention provides an easy way to trace data access and to detect abnormality related to data access.
  • the present invention provides a method for responding to a system attack by an apparatus comprising a monitoring unit, a non-volatile computer-readable memory, and a control unit. The method comprises receiving, by the monitoring unit, a system access request; creating an event DNA for the system access request and an asset DNA for each resource associated with the system access request; recording one or more deviations between the created asset DNAs and the corresponding stored asset DNAs; quantifying the risks associated with each deviation according to a user policy; and identifying a response according to the quantified risks.
  • an apparatus for identifying risks associated with information access requests in a system.
  • the apparatus comprises a network interface unit in communication with a network, a monitoring unit in communication with the network interface unit and receiving information access requests from the network, a control unit, and a non-volatile computer-readable memory in communication with the monitoring unit, wherein the control unit receives a system access request, creates an event DNA for the system access request and an asset DNA for each resource associated with the system access request, records one or more deviations between the created asset DNAs and the corresponding stored asset DNAs, quantifies the risks associated with each deviation according to a user policy, and identifies a response according to the quantified risks.
  • a non-transitory computer-readable medium on which is stored a computer program for identifying risks associated with information access requests in a system.
  • the computer program comprises computer instructions that, when executed by a computing device with a monitoring unit, a non-volatile computer-readable memory, and a control unit, cause the computing device to perform the steps of receiving, by the monitoring unit, a system access request; creating an event DNA for the system access request and an asset DNA for each resource associated with the system access request; recording one or more deviations between the created asset DNAs and the corresponding stored asset DNAs; quantifying the risks associated with each deviation according to a user policy; and identifying a response according to the quantified risks.
  • FIG. 1 depicts a data access scenario 100 of multiple users accessing multiple data
  • FIG. 2 depicts a flowchart 200 of a process executed by a system for handling a new asset
  • FIG. 3 depicts a data DNA model
  • FIG. 4 illustrates an asset DNA when the asset is a user
  • FIG. 5 illustrates an asset DNA when the asset is access rules
  • FIG. 6 illustrates an asset DNA when the asset is events
  • FIG. 7 illustrates data associated with an event DNA
  • FIG. 8 illustrates an example of a group event DNA
  • FIG. 9 depicts a flowchart of a process for monitoring activities in a system
  • FIG. 10 illustrates an apparatus according to one embodiment of the present invention.
  • FIG. 11 illustrates a flowchart 1100 for identifying an attack.
  • the term “application” as used herein is intended to encompass executable and non-executable software files, raw data, aggregated data, patches, and other code segments.
  • the term “exemplary” is meant only as an example, and does not indicate any preference for the embodiment or elements described. Further, like numerals refer to like elements throughout the several views, and the articles “a” and “the” include plural references, unless otherwise specified in the description.
  • the terms “system” and “network” are used interchangeably and the terms “data” and “information” are also used interchangeably unless otherwise stated.
  • FIG. 1 is a simple illustration 100 of the different elements involved in data access operations in a system.
  • Multiple users Un may access information stored in one or more servers Sn.
  • a user U1 may request data stored on a server S1 through an action A1 that follows a rule (policy) R1; the user U1 may also use the same command (action) A1, following the same rule R1, to access other data stored on another server S2.
  • user U2 may request a piece of information stored on the server S2 through a command A2 that follows a rule R2.
  • the same information request from the user U2 can also be made by invoking the command A1 using the rule R2.
  • the above description reflects a common scenario in today's business world, where an employee Adam can access design data X stored on a server S1 while working on the computer in his office and can continue to work, using the same design data X, from his home computer.
  • the design data X may also be accessed by another employee Bob, who uses his laptop computer to access the design data X while on a business trip.
  • one piece of information may be accessed by different users at different times by different methods, and one user may also use different methods to access different data from different locations.
  • a tracking and monitoring system needs to track each action and store information associated with each action. This tracking and monitoring operation creates a huge amount of data that are related to each other.
  • the present invention introduces a concept of data DNA.
  • the data DNA is a set of data representing a data model based on the concept of a molecule formed by atoms and bonds, and this data model enables users to easily describe data access, data transactions, and data activities.
  • the data DNA model also enables users to discover and manage data elements (atoms) and the interactions (bonds) between them during a data access.
  • the methods based on this data DNA model enable auditing and regulating data access and access behaviors. These access behaviors can be changed by rules and actions from the users.
  • business needs for data audit, data security, data forensics, data asset management, and data analytics can be easily accomplished.
  • the data DNA model is useful to describe data, data assets, data activities, data policies, data transactions, data events, data risks, and data life cycle. Under this data DNA model, several related models can be derived, such as asset DNA, event DNA, rule DNA, etc.
  • asset DNA may be used to describe data asset, data asset group, or data asset type, in terms of atoms and bonds.
  • event DNA may be used to describe data activity or collection of data activities also in terms of atoms and bonds.
  • atom is a basic building block and may refer to assets, rules, and actions.
  • Assets may include servers, clients, users, databases, tables, columns, data signatures, conditions, errors, etc.
  • Rules are generally defined and/or configured by users.
  • Actions are also defined and/or configured by users.
  • Another basic building block is the bond. A bond refers to a relationship between atoms, such as the relationship between a database (DB) user and a server, a database, a client program, a data signature, rules, actions, etc. Bonds may be used to detect “vibrations” in the data model, which reflect deviations in data behavior.
  • assets are the building blocks that form an access, and an asset may include:
  • FIG. 2 is a flowchart 200 of a process executed by a system for handling a new asset.
  • the system identifies the type of the event, step 204, i.e., whether the event relates to a new user, an access command, an object, etc.
  • the system also determines whether the event refers to any new asset, step 206. If the event refers to a new asset, for example a new user, then a new set of data is created to represent this new user asset and the time of creation (modified time) is recorded, step 208.
  • the asset may also not be new. For example, the user may be an existing user.
  • the system then checks whether there is a new association for the asset, step 210.
  • An association is a relationship with other assets. If there are new associations, step 212, for example a user accessing records in a database never accessed before, the new associations are created and the creation time is recorded, step 214.
  • the asset associations may also be existing rather than new. For example, for a known user accessing a record that he has accessed before in a manner that he has used before, neither the asset nor the asset associations would be new.
  • the asset DNA for this asset is updated, step 216, and the access time is also updated, step 218.
  • Atom 302 represents the central asset of the asset DNA 300.
  • the relationships are the links 304 between atom 302 and other atoms 306.
  • the asset DNA 300 refers to a central asset 302 and its relationships with other assets 306.
  • the asset DNA forms a baseline for each individual asset and for any combination of assets, also known as an asset group.
  • An asset group is a group of assets of the same asset type.
  • rules and actions in a system can also be treated like assets, and this flexibility enhances the security surveillance in the system.
  • rules and actions are also treated like assets. For example, access rules, content rules, signatures, behavior rules, and actions are all considered as asset DNA.
  • the asset DNA enables security surveillance to view data from different views and from the perspective of different assets or combinations of assets, as shown in the following description for FIGS. 4-6.
  • An application of the data DNA model for user James is an asset DNA 400 illustrated in FIG. 4.
  • the asset DNA 400 is also known as a user DNA for user James, and the central asset 402 is the database user James.
  • the user James can perform many functions within the system and thus maintains relationships with many other assets. For example, user James can access a record in a database located on a database server.
  • the command used by James is an asset 404; the database is another asset 406 and the database server is yet another asset 408.
  • the action of James to access a record is an event, which is also an asset 410.
  • for each asset, FIG. 4 also depicts the different instances of that asset.
  • for asset 408 of type database server, three instances 412, 414, and 416 are shown.
  • Each instance represents a database server that user James 402 has accessed previously.
  • Each command previously invoked by user James 402 is also shown as an instance of the command asset 404, and each rule that applies to every access by user James 402 is also listed as an instance of asset 418 for rules.
  • Asset DNA 500 shows access rule 502 as the central asset.
  • the access rule 502 may affect how database 504 and database server 506 are accessed, so there are relationships between the access rule 502 and the database 504 and the database server 506. Errors may happen during an access, so asset error 508 is also linked to the access rule 502, and the different errors are listed as instances of the asset error 508.
  • FIG. 6 depicts an asset DNA 600 for event asset 602.
  • an event DNA can describe one event or a collection of events or data activities. By viewing the system from the data-activity aspect for given time durations, it is easy to detect what other assets were involved in these events and what risks are involved.
  • an asset DNA similar to those shown in FIGS. 3-6 can be constructed.
  • when the new event relates to a new database user, rich@10.1.1.119, this user will have an asset DNA similar to the one shown in FIG. 4, and the information related to the detected event, for example the database accessed and the command (sqlcmd) used, will also show up in the asset DNA for this user.
  • This asset DNA enables the system to predict which other assets this asset may have a relation (connection) with, and thus makes it easier to predict what operations are harmless and what operations are suspicious. For example, the asset DNA for user James may show that James accesses databases EMP and Master and that the database servers often accessed are AAA, BBB, and CCC. If user Rich is of the same user type as James, then an access by Rich to database EMP is less likely to be harmful even if Rich has never accessed database EMP before.
  • An event is formed by data DNA and these data DNA can be for data related to who (user identity), what (object), how (user method), where (user location), and when (time).
  • the data DNA can also be for a group of events, assets, rules, and actions.
  • baseline events can be derived and these baseline events are useful for detection of new and variation events.
  • the variation events are new events and/or events with new bonds (new relations to other assets), and the variation events can be indications of attacks (malware) or indications of changes in user behavior, as described in the above paragraph.
  • Critical events such as deviations from the baseline events, can be easily detected after applying proper filters. Changes in user behaviors are like DNA mutation that may be an indication of a problem but may also be an indication of a new normal. DNA mutations are candidates for further investigation by the user.
  • new asset or new association may be detected. This analysis may be done for asset DNA, event DNA, and rule DNA.
  • the DNA mutation may involve one or more variable deviations.
  • One variable mutation enables detection of a new asset or a new association. Multiple variable mutations enable detection of more than one asset or detection of new associations for multiple assets.
  • One example of a single variable mutation is an asset DNA for user James working from his home. James may use a home computer to access data in a server in his office. In this scenario, the user is known, the data has been accessed before, the server has been accessed before, and the only new variable is the location from where James is accessing the data.
  • An example of multiple variable mutations is when James accesses a new data, never accessed before, from his home computer. In this scenario, two new variables are the location and the data.
  • the data DNA modeling can detect not only anomalies or deviations but also anomalies that are not easily detectable from a single user's perspective.
  • the data DNA modeling enables easy detection of a system-wide attack even if each operation may seem to be harmless. For example, if a large number of users start to access, at the same time, a database that is not listed in the database set of their asset DNAs, this may be an indication that the system is not normal and may be under attack, even if the individual access of a database by one user may seem harmless. This is a situation that overloads server resources and causes denial of service. Because of the availability of asset DNA for each asset, it is now possible to predict what is normal and what can be expected even if it is not shown in the asset DNA.
  • FIG. 7 is an illustration 700 of data associated with an individual event DNA.
  • the event DNA data 702 such as time of the event and connection are captured. Other data of the event are captured as well.
  • the event DNA as shown in FIG. 7 is repeated for all events detected in the system, and the data related to all the events are captured and stored. These data can be filtered.
  • FIG. 8 illustrates an example 800 of a group event DNA. This group event DNA is the result of filtering of previously stored data.
  • FIG. 8 is a summary of activities of a group of events in a group event DNA.
  • a group of events is a collection of events; for example, using a set to represent each event:
  • event 1: {a1}, {b1, b2}, {c1, c2, c3}, {d1, d2}
  • event 2: {a2}, {b2, b3}, {c2, c3}, {d1, d3}
  • event 3: {a3}, {b1, b3}, {c3, c4}, {d4}
  • a ‘new event’ is an event set that did not exist before.
  • similar to the above event sets, a group of assets (of the same type) may be represented by asset sets:
  • asset 1: {x1, x2}, {y1, y2, y3}, {z1, z3}
  • asset 2: {x2, x3}, {y2}, {z2, z3}
  • asset 3: {x3, x4}, {y3}, {z4}
  • a ‘new asset’ is an asset element (atom) which did not exist before.
  • a ‘new asset association’ is a new member of an asset set.
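The event sets and asset sets above, together with the single- and multiple-variable mutations described earlier (James working from home; James accessing new data from home), as an added Python example that is not part of the patent. The atom names, the four variable positions (who, what, how, where) and the stored asset DNA for user James are constructed for the example:

```python
# Added example (not the patent's code): event sets, asset sets, the three
# "new" tests the description defines, and counting mutated variables.
# Atom names, the four variable positions and the stored asset DNA are constructed.

POSITIONS = ("who", "what", "how", "where")  # one atom set per variable


def make_event(*parts):
    """Build an event as a tuple of frozen atom sets, one per position."""
    return tuple(frozenset(p) for p in parts)


# Constructed baseline, shaped like the three event sets in the description.
BASELINE_EVENTS = {
    make_event({"a1"}, {"b1", "b2"}, {"c1", "c2", "c3"}, {"d1", "d2"}),
    make_event({"a2"}, {"b2", "b3"}, {"c2", "c3"}, {"d1", "d3"}),
    make_event({"a3"}, {"b1", "b3"}, {"c3", "c4"}, {"d4"}),
}


def is_new_event(event, baseline=BASELINE_EVENTS):
    """A 'new event' is an event set that did not exist before."""
    return event not in baseline


def mutated_variables(event, baseline=BASELINE_EVENTS):
    """Names of the positions holding an atom never seen at that position.

    One name is a single variable mutation (e.g. only the location is new);
    several names are a multiple variable mutation (e.g. location and data).
    """
    seen = [set() for _ in POSITIONS]
    for known in baseline:
        for i, atoms in enumerate(known):
            seen[i] |= atoms
    return [POSITIONS[i] for i, atoms in enumerate(event) if not atoms <= seen[i]]


# Constructed asset DNA store: central asset -> {atom type: bonded atoms}.
ASSET_DNA = {
    "user:james": {
        "database": {"EMP", "Master"},
        "server": {"AAA", "BBB", "CCC"},
        "location": {"office"},
    },
}


def classify_access(central, bonds, store=ASSET_DNA):
    """Return (is_new_asset, new_associations) without modifying the store.

    A 'new asset' is a central atom that did not exist before; a 'new asset
    association' is a (type, atom) pair that is a new member of its set.
    """
    known = store.get(central)
    if known is None:
        return True, sorted((t, a) for t, atoms in bonds.items() for a in atoms)
    new = [(t, a) for t, atoms in bonds.items() for a in atoms
           if a not in known.get(t, set())]
    return False, sorted(new)


def record_access(central, bonds, store):
    """Merge the observed bonds into the stored asset DNA (FIG. 2, step 216)."""
    entry = store.setdefault(central, {})
    for t, atoms in bonds.items():
        entry.setdefault(t, set()).update(atoms)
    return entry
```

`mutated_variables` is the set-level form of the James examples: an event whose only unseen atom sits in the location position is a single variable mutation, while one with unseen atoms in both the data and location positions is a multiple variable mutation. `classify_access` deliberately does not update the store, so the "new" tests can be run before the baseline is changed by `record_access`.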
  • the data DNA model of the present invention can be applied to data collected from different data accesses, such as data requests from web services, data requests from applications, and data requests to database.
  • the data can be structured data, such as a database; unstructured data, such as files; semi-structured data, such as big data; cloud data, such as Dropbox and Google Documents; etc.
  • because the data DNA model enables data to be viewed from different perspectives, abnormalities that are not detectable from one perspective can be detected from a different perspective. For example, the asset DNA of a user accessing a table in a database at an evening hour may seem harmless; however, another asset DNA showing access to the same table at the same time by a high number of users will reveal a possible system-wide attack.
  • a system access can be represented by the commands and data involved. From the commands involved, different data DNAs can be retrieved. For example, if a web application requests data on a database server, event data representing this system access can be formed. Other data DNAs can also be formed; for example, an application DNA representing the access from the web application and an asset DNA representing the database can both be formed. These asset DNAs can be compared with the asset DNA retrieved for each asset.
  • by comparing the asset DNA for each asset involved with the system access against the retrieved DNA for the corresponding asset, a deviation, if any, can be observed.
  • the deviations are used to identify any type of attack (or virus) that may be hidden in the system requests.
  • if, for example, the system access is a request from a web application to retrieve user data and there is an anomaly in this system access, the asset DNA for the database and the event DNA for the web application can be retrieved.
  • the event DNA from the system access is compared with these two data DNAs and their deviations are noted. Anomalies are deviations from an established standard. The deviations are used to identify the type of attack that the system may be under.
  • the anomaly is identified as W5D3, for example. After knowing and identifying the deviations, the system can then proceed to find the best solution to handle this anomaly.
  • the system may have access to a database with a list of known viruses or attacks, and W5D3 may be listed as one of the known attacks.
  • the data DNA modeling also helps to organize the data collected in a system. Normally, the amount of data collected is huge, and it is difficult to capture the data and the relationship between one datum and other data. Because the data DNA model captures and caches every new data DNA, the relationship between a captured datum and other data is tracked for future reference, unless there is a new piece of data that forms a new relationship with this datum.
  • each asset may be assigned a risk factor according to its business value and each rule may also be assigned a risk factor according to its significance.
  • An event risk may be calculated from asset risks and rule risks.
  • FIG. 9 depicts a flowchart 900 of a process for monitoring activities in a system.
  • the system checks whether it involves a new user, step 904. If the new event is from a known user, the set of data representing the user DNA associated with the user is retrieved, step 906. If the event is from a new user, a generic user DNA is created, step 908.
  • the generic user DNA includes typical connections to common “atoms,” i.e., the generic user DNA has information on the most common actions performed by a similar user and the most common objects of these actions. This generic user DNA can provide a general idea about the expected behavior of the new user.
  • the generic user DNA is created based on the category of the new user. If the new user is a database administrator, then the generic user DNA will have the most common attributes of a database administrator DNA. If the new user is someone working in the human resources department, the generic user DNA created would be different from the generic user DNA for a database administrator.
  • the system then performs substantially the same actions with either of these user DNAs.
  • the system checks whether there is any new asset (atom) involved, step 910. If the user is accessing data that he has not accessed before, this data would be a new asset. This situation is also illustrated in FIG. 4, when user James 402 accesses new data EMP 420. After detecting that the event involves a new asset (new data), the system checks whether this new asset is part of the generic user DNA, step 912. The new asset is part of the generic user DNA if other users similar to James have accessed this asset before.
  • If the new asset is not part of the generic user DNA, then it will be recorded, step 914, as part of the user DNA for the user.
  • the risk level associated with this event is also increased, step 916, because of the access to a new asset not previously accessed.
  • after checking whether the new asset is part of the generic user DNA, the system also checks whether the method used to access this asset is new, i.e., whether there is a new bond (a new relationship) between user James and this new asset, step 918. If the method is new, i.e., there is a new bond, then this method is recorded in James' user DNA, step 920, and the risk level is further increased, step 922. Step 918 is done by comparing the method used with the methods recorded in James' user DNA. If the event detected in step 902 is from a new user, and consequently the generic user DNA is used, the check for a new bond is done by checking the method against the methods listed in the generic user DNA, which are the most common methods used by users of similar qualifications.
  • the process described in FIG. 9 is applicable to other assets, such as servers, databases, etc., and also helps to predict the risk level of a new asset.
  • a generic asset DNA can be used to predict what relationships are likely to be acceptable for this new asset, and consequently the risk level can be predicted.
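The FIG. 9 path for one detected event (known user versus generic user DNA, new asset, new bond, and the two risk increases), as an added Python example that is not the patent's code. The user categories, the generic user DNAs, the stored user DNA and the size of each risk increment are constructed assumptions; the description does not say by how much steps 916 and 922 raise the risk level, nor what happens when the new asset is already covered by the generic DNA, so this example records the asset either way and raises the risk only when the generic DNA does not cover it:

```python
# Added example (not the patent's code): the FIG. 9 path for one detected event.
# Categories, generic DNAs, stored user DNAs and risk increments are constructed.
from dataclasses import dataclass, field


@dataclass
class UserDNA:
    assets: set = field(default_factory=set)     # objects the user has accessed
    methods: dict = field(default_factory=dict)  # asset -> set of access methods (bonds)

    def copy(self):
        return UserDNA(set(self.assets), {a: set(m) for a, m in self.methods.items()})


# Generic user DNAs per category (step 908): the most common assets and
# methods of similar users. Constructed values.
GENERIC_DNA = {
    "dba": UserDNA({"EMP", "Master"}, {"EMP": {"sqlcmd"}, "Master": {"sqlcmd"}}),
    "hr": UserDNA({"EMP"}, {"EMP": {"hr_portal"}}),
}

NEW_ASSET_RISK = 1  # step 916, assumed increment
NEW_BOND_RISK = 1   # step 922, assumed increment


def score_event(user, category, asset, method, users, generic=GENERIC_DNA):
    """Walk steps 904-922 for one event; return (risk_level, notes).

    `users` maps user name -> UserDNA and is updated in place, since steps
    914 and 920 record the new asset and the new method in the user's DNA.
    """
    risk, notes = 0, []
    dna = users.get(user)
    if dna is None:  # steps 904/908: unknown user, start from the generic DNA
        dna = generic[category].copy()
        users[user] = dna
        notes.append("new user: generic DNA used")

    if asset not in dna.assets:  # step 910: new asset (atom) for this user
        if asset in generic[category].assets:  # step 912: similar users use it
            notes.append(f"new asset {asset}: covered by generic DNA")
        else:
            notes.append(f"new asset {asset}: not in generic DNA")
            risk += NEW_ASSET_RISK  # step 916
        dna.assets.add(asset)  # step 914 (recorded either way, assumption)

    known_methods = dna.methods.setdefault(asset, set())
    if method not in known_methods:  # step 918: new bond?
        notes.append(f"new bond {method} -> {asset}")
        known_methods.add(method)  # step 920
        risk += NEW_BOND_RISK  # step 922
    return risk, notes
```

Because a new user starts from a copy of the generic DNA, the new-bond check in step 918 is automatically made against the generic DNA's methods for that user's first events, which is the behaviour the description gives for step 902 events from new users.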
  • FIG. 10 illustrates an apparatus 1002 according to one embodiment of the present invention.
  • the apparatus 1002 connects to a network through a network interface unit 1008 and monitors access requests, through a monitoring unit 1004, to one or multiple data servers connected to the network.
  • the control unit 1010 checks whether the access request involves a known asset or an existing asset, i.e., whether the access request is from a known user or directed toward a known database on a known server, by checking the asset database stored in the storage unit 1020.
  • the storage unit 1020 is a non-volatile computer-readable memory unit and may be internal or external to the apparatus 1002.
  • the storage unit 1020 stores computer programs that, when executed by the control unit 1010, enable the apparatus 1002 to perform the functions described in this specification.
  • the control unit 1010 will identify from the access request all the associations for the asset, and these associations are checked against the asset DNA for the asset.
  • the apparatus 1002 also includes an audit policy unit 1006 for storing the audit policy entered by the user through a user interface 1012.
  • the audit policy is used by the apparatus 1002 to audit the access requests collected from the network and also stored in the storage unit 1020. When abnormalities are detected, alerts are issued by the control unit 1010.
  • Apparatus 1002 of the present invention can enhance data security through the data DNA modeling.
  • the data DNA modeling enables representation of not only individual assets but also asset groups.
  • the user DNA for this user is retrieved and checked. This access may be made by a known user to data that he has accessed before, so no alert is noted. The same access can also be viewed from the database server's perspective.
  • the database server DNA for the database server can be retrieved and checked. If the database server DNA shows multiple users accessing the same data at the same evening hour, this may be an indication of something abnormal even if, individually, all the accesses seem normal. This illustrates that a view from a single asset's perspective may not detect any problem, while a view from another asset's perspective may reveal a hidden attack.
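The same evening-hour accesses viewed from the user's perspective and from the database server's perspective, as an added Python example that is not the patent's code. The access records, the per-user baselines and the server-side threshold are constructed:

```python
# Added example (not the patent's code): one set of accesses checked first
# against each user's DNA, then against the database server's DNA.
# Access records, per-user baselines and the threshold are constructed.
from collections import defaultdict

# Constructed access records: (user, server, table, hour_of_day).
ACCESSES = [
    ("james", "AAA", "EMP", 21),
    ("bob", "AAA", "EMP", 21),
    ("carol", "AAA", "EMP", 21),
    ("dave", "AAA", "EMP", 21),
    ("james", "BBB", "Master", 10),
]

# Constructed user DNA baselines: user -> set of (table, hour) seen before.
USER_BASELINE = {
    "james": {("EMP", 21), ("Master", 10)},
    "bob": {("EMP", 21)},
    "carol": {("EMP", 21)},
    "dave": {("EMP", 21)},
}


def user_view_alerts(accesses, baseline):
    """Per-user check: an access is abnormal only if it is new for that user."""
    return [a for a in accesses if (a[2], a[3]) not in baseline.get(a[0], set())]


def server_view_alerts(accesses, max_users_per_hour):
    """Server DNA check: flag (server, table, hour) slots touched by more
    distinct users than the server's baseline allows."""
    users_by_slot = defaultdict(set)
    for user, server, table, hour in accesses:
        users_by_slot[(server, table, hour)].add(user)
    return sorted(slot for slot, users in users_by_slot.items()
                  if len(users) > max_users_per_hour)
```

On the constructed records every access is inside its user's baseline, so the user view raises nothing, while the server view flags the EMP table on server AAA at 21:00 once more than the allowed number of distinct users touch it in the same hour.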
  • FIG. 11 illustrates a flowchart 1100 for identifying an attack.
  • a system access is detected, for example a user making a data access from a database application.
  • an event DNA is created and associated with this event, step 1104.
  • Other asset DNAs for each asset involved are also created, and these asset DNAs and the event DNA are recorded, step 1106.
  • a database DNA for the human resources database is created, and a server DNA for the server where the human resources database is stored is also created.
  • Each event DNA and asset DNA is assigned an identification.
  • Each newly created asset DNA is compared with the previously stored asset DNAs for that asset, step 1108.
  • the user DNA for the user is compared with the stored user DNA for that particular user, and the database DNA is compared with the stored database DNA for that particular database. If there is an anomaly associated with this database DNA, the deviation between this database DNA and the previously stored database DNA is noted, step 1110. Deviations from the other comparisons are also detected and stored. The deviation from a system access may trigger policy actions if the deviation violates a policy, step 1112. The deviations are recorded, step 1114.
  • An attack typically takes place over several events, and each event may lead to deviations of many asset DNAs of many asset types.
  • a risk management system can be devised using the present invention.
  • the risk management system quantifies the aggregated risk from the deviation of each asset DNA of each asset type according to user-defined policy rules, step 1116, and after all deviations are detected and identified, the system can identify the attack that is affecting the system, step 1118.
  • the deviations that form this aggregated risk serve as a signature of the attack and as the identification of the type of the attack. If the attack is known, step 1120, because all the deviations are known, the system may have access to a countermeasure for this attack, step 1122. If the attack is new and previously unknown, the system alerts the system administrator, step 1124, who can take proper action.
  • rule DNA could also be used to model the relation between a given rule and its associated assets, and be managed by the risk management system.
  • a single deviation may not trigger any alert on the system but deviations detected by many different asset DNAs can be an indication of an attack.
  • the system can determine the triggering conditions through policies and rules.
  • the risk management system based on the present invention can compute risk from:
  • each risk is computed by comparing a deviation with a predefined trigger level defined by a risk policy.
  • Each individual risk may not exceed a predefined risk level and raise the alarm but the aggregated risk may cause the alarm.
  • FIGS. 2, 9, and 11 can be achieved by the control unit executing computer programs stored in the storage unit 1020. Furthermore, in the context of FIGS. 2, 9, and 11, the steps illustrated do not require or imply any particular order of actions. The actions may be executed in sequence or in parallel.
  • the method may be implemented, for example, by operating portion(s) of a network device, such as a network router or network server, to execute a sequence of machine-readable instructions.
  • the instructions can reside in various types of signal-bearing or data storage primary, secondary, or tertiary media.
  • the media may comprise, for example, RAM (not shown) accessible by, or residing within, the components of the network device.
  • the instructions may be stored on a variety of machine-readable data storage media, such as DASD storage (e.g., a conventional “hard drive” or a RAID array), magnetic tape, electronic read-only memory (e.g., ROM, EPROM, or EEPROM), flash memory cards, an optical storage device (e.g. CD-ROM, WORM, DVD, digital optical tape), paper “punch” cards, or other suitable data storage media including digital and analog transmission media.
  • the instructions when executed by a computer will enable the computer
  • the units illustrated in FIG. 10 are described based on their function, and these units may have different physical implementations; for example, the units may be combined or implemented in one or more computers.


Abstract

Data DNA modeling is used to represent data and the relationship this data has with other data. When an information access request from a user is detected, an asset DNA associated with the user is retrieved and analyzed against the information access request. Using the asset DNA, it can be determined whether the information access request is a normal request or a suspicious request. If the user is unknown, a generic asset DNA can be created and populated with the data from the information access request. The system checks the newly created asset DNA against other similar asset DNA to determine whether there is any abnormality associated with this newly created asset DNA.

Description

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention generally relates to data security, and more specifically, relates to a system and method that detect abnormality in data access.
2. Description of the Related Art
Information is becoming the most valuable asset for any company in today's business world, and consequently the need to protect the information is of paramount importance for every company. Before the information can be protected, the information owners need to know who is accessing and using the information and how the information is accessed. Only by knowing how the information is accessed is it possible to detect abnormalities in a system through which the information is accessed. However, with millions of data access requests that go through the system each day, the amount of data that needs to be collected and analyzed overwhelms any system designed to track and protect the data in an information system, especially when the data collected seem unrelated to each other.
Therefore, there is a need for a system and method that correlate collected data and detect abnormality in data access transactions, and it is to this system and method that the present invention is primarily directed.
SUMMARY OF THE INVENTION
The system of the present invention provides an easy way to trace data access and to detect abnormality related to data access. In one embodiment, the present invention provides a method for responding to a system attack by an apparatus comprising a monitoring unit, a non-volatile computer-readable memory, and a control unit. The method comprises receiving, by the monitoring unit, a system access request; creating an event DNA for the system access request and an asset DNA for each resource associated with the system access request; recording one or more deviations between one or more created asset DNAs and corresponding stored asset DNAs; quantifying risks associated with each deviation according to a user policy; and identifying a response according to the quantified risks.
In another embodiment, there is provided an apparatus for identifying risks associated with information access requests in a system. The apparatus comprises a network interface unit in communication with a network, a monitoring unit in communication with the network interface unit and receiving information access requests from the network, a control unit, and a non-volatile computer-readable memory in communication with the monitoring unit, wherein the control unit receives a system access request, creates an event DNA for the system access request and an asset DNA for each resource associated with the system access request, records one or more deviations between one or more created asset DNAs and corresponding stored asset DNAs, quantifies risks associated with each deviation according to a user policy, and identifies a response according to the quantified risks.
In yet another embodiment, there is also provided a non-transitory computer readable medium on which is stored a computer program for identifying risks associated with information access requests in a system. The computer program comprises computer instructions that, when executed by a computing device with a monitoring unit, a non-volatile computer-readable memory, and a control unit, cause the computing device to perform the steps of receiving, by the monitoring unit, a system access request, creating an event DNA for the system access request and an asset DNA for each resource associated with the system access request, recording one or more deviations between one or more created asset DNAs and corresponding stored asset DNAs, quantifying risks associated with each deviation according to a user policy, and identifying a response according to the quantified risks.
The present system and methods are therefore advantageous as they enable identification of abnormality in data access from a system's perspective. Other advantages and features of the present invention will become apparent after review of the hereinafter set forth Brief Description of the Drawings, Detailed Description of the Invention, and the Claims.
BRIEF DESCRIPTION OF THE DRAWINGS
Features and advantages of embodiments of the invention will become apparent as the following detailed description proceeds, and upon reference to the drawings, where like numerals depict like elements, and in which:
FIG. 1 depicts a data access scenario 100 of multiple users accessing multiple data;
FIG. 2 depicts a flowchart 200 of a process executed by a system for handling a new asset;
FIG. 3 depicts a data DNA model;
FIG. 4 illustrates an asset DNA when the asset is a user;
FIG. 5 illustrates an asset DNA when the asset is access rules;
FIG. 6 illustrates an asset DNA when the asset is events;
FIG. 7 illustrates data associated with an event DNA;
FIG. 8 illustrates an example of a group event DNA;
FIG. 9 depicts a flowchart of a process for monitoring activities in a system;
FIG. 10 illustrates an apparatus according to one embodiment of the present invention; and
FIG. 11 illustrates a flowchart 1100 for identifying an attack.
DETAILED DESCRIPTION OF THE INVENTION
In this description, the term “application” as used herein is intended to encompass executable and non-executable software files, raw data, aggregated data, patches, and other code segments. The term “exemplary” is meant only as an example, and does not indicate any preference for the embodiment or elements described. Further, like numerals refer to like elements throughout the several views, and the articles “a” and “the” include plural references, unless otherwise specified in the description. The terms “system” and “network” are used interchangeably and the terms “data” and “information” are also used interchangeably unless otherwise stated.
In an overview, the present invention provides a system and method for correlating data collected in a system and identifying abnormalities in data access to the system. FIG. 1 is a simple illustration 100 of different elements involved in data access operations in a system. Multiple users Un may access information stored in one or more servers Sn. A user U1 may request data stored on a server S1 through an action A1 that follows a rule (policy) R1; the user U1 may also use the same command (action) A1, following the same rule R1, to access another data stored on another server S2. Similarly, user U2 may request a piece of information stored on the server S2 through a command A2 that follows a rule R2. The same information request from the user U2 can also be made by invoking the command A1 using the rule R2.
The above description reflects a common scenario in today's business world, where an employee Adam can access a design data X stored on a server S1 while working on his computer in his office and also can continue to work, using the same design data X, from his home computer. The design data X may also be accessed by another employee Bob who uses his laptop computer to access the design data X while on a business trip.
As illustrated, in today's business world, one piece of information may be accessed by different users at different times by different methods, and one user may also use different methods to access different data from different locations. In order to track the information related to these data accesses, a tracking and monitoring system needs to track each action and store information associated with each action. This tracking and monitoring operation creates a huge amount of data that are related to each other.
To easily track and understand the data collected by the tracking and monitoring system, the present invention introduces a concept of data DNA. The data DNA is a set of data representing a data model based on the concept of a molecule formed by atoms and bonds, and this data model enables users to easily describe data access, data transactions, and data activities. The data DNA model also enables users to discover and manage data elements (atoms) and interactions (bonds) between them during a data access. The methods based on this data DNA model enable auditing and regulating data access and access behaviors. These access behaviors can be changed by rules and actions from the users. By using the methods of the present invention, business needs for data audit, data security, data forensics, data asset management, and data analytics can be easily accomplished.
The data DNA model is useful to describe data, data assets, data activities, data policies, data transactions, data events, data risks, and data life cycle. Under this data DNA model, several related models can be derived, such as asset DNA, event DNA, rule DNA, etc. The asset DNA may be used to describe data asset, data asset group, or data asset type, in terms of atoms and bonds. The event DNA may be used to describe data activity or collection of data activities also in terms of atoms and bonds.
In the data DNA model, an atom is a basic building block and may refer to assets, rules, and actions. Assets may include servers, clients, users, databases, tables, columns, data signatures, conditions, errors, etc. Rules are generally defined and/or configured by users. Actions are also defined and/or configured by users. Another basic building block is the bond, which refers to the relationships between atoms, such as the relationship between a database (DB) user and a server, a database, a client program, a data signature, rules, actions, . . . Bonds may be used to detect “vibrations” in the data model, and these reflect deviations in data behavior.
Under the data DNA model, a clear and concise understanding of data can be achieved easily and data can also be easily managed. In the data DNA model, assets are the building blocks to form an access and the asset may include:
    • Servers, Clients
    • App User, DB Users, Programs, OS Accounts, Client Hosts, Language, Charset
    • Method—Commands and Command Statement
    • Read, write, select, insert, update, exec, etc.
    • Objects—Data Containers, DB, Tables, Columns, Conditions
    • Contents—signatures, patterns
    • Results—outputs and Errors
    • Policies—defined by users
    • Actions—defined by users
    • Groups—defined by users
Asset DNAs are formed by a “central” asset and associations with other assets. FIG. 2 is a flowchart 200 of a process executed by a system for handling a new asset. When an event is detected, step 202, the system identifies the type of the event, step 204, i.e., whether the event relates to a new user, an access command, an object, etc. The system also determines whether the event refers to any new asset, step 206. If the event refers to a new asset, for example, a new user, then a new set of data is created to represent this new user asset and a time of creation (modified time) is recorded, step 208. The asset may also not be new. For example, the user may be an existing user. After the asset is created, the system checks whether there is any new association associated with the asset created, step 210. An association is a relationship with other assets. If there are new associations, step 212, for example, a user accessing records in a database never accessed before, the new associations will be created and the creation time is recorded, step 214. The asset associations may also be existing, not new. For example, for a known user accessing a record that he has accessed before in a manner that he has done before, neither the asset nor the asset associations would be new. After the asset is identified and new associations are identified, the asset DNA for this asset is updated, step 216, and the access time is also updated, step 218.
The Data DNA model for the asset DNA 300 can be easily visualized with a model shown in FIG. 3. Atom 302 represents a central asset for the asset DNA 300. The relationships are the links 304 between atom 302 and other atoms 306. The asset DNA 300 refers to a central asset 302 and its relationship with other assets 306.
The asset DNA forms a baseline for each individual asset and for any combination of assets, also known as an asset group. An asset group is a group of assets of the same asset type. By auditing changes of asset DNA, anomalies such as new associations and new assets can be easily detected. Rules and actions in a system can also be treated like assets, and this flexibility enhances the security surveillance in the system. Under the asset DNA, rules and actions are also treated like assets. For example, access rules, content rules, signatures, behavior rules, and actions are all considered as asset DNA. The asset DNA enables security surveillance to view data from different views and from the perspective of different assets or combinations of assets, as shown in the following description for FIGS. 4-6.
An application of the data DNA model for user James is an asset DNA 400 illustrated in FIG. 4. The asset DNA 400 is also known as a user DNA for user James and the central asset 402 is the database user James. The user James can perform many functions within the system and thus maintains relationship with many other assets. For example, user James can access a record in a database located in a database server. The command used by James is an asset 404; the database is another asset 406 and the database server is yet another asset 408. The action of James to access a record is an event, which is also an asset 410.
FIG. 4 also depicts different instances of each asset. For example, for asset 408 (type database server), three instances 412, 414, and 416 are shown. Each instance represents a database server that user James 402 has accessed previously. Each command previously invoked by user James 402 is also shown as an instance of the command asset 404, and each rule that applies to every access by user James 402 is also listed as an instance of asset 418 for rules. Now, if James 402 uses a new command 424, update-23, to update data EMP 420, which resides on a previously accessed MySQL server 412, the new command 424 will be added to the list of the commands 404 used by James 402 and the data EMP 420 will also be included in the list of the data accessed by James 402. By using this data DNA model, the user DNA for James does not change, but it is updated with new assets (atoms) that are now known to James.
This data DNA model is versatile and can be easily used to represent another asset DNA for a different asset, as shown in FIG. 5. Asset DNA 500 shows access rule 502 as the central asset. The access rule 502 may affect how database 504 and database server 506 are accessed, so there are relationships between the access rule 502 and the database 504 and the database server 506. Errors may happen during an access, so asset error 508 is also linked to the access rule 502, and different errors are listed as instances of the asset error 508.
FIG. 6 depicts an asset DNA 600 for event asset 602. When an event is detected by the system and the system identifies that the event is from a user accessing a database, the system checks whether the user is a known user or a new user. The system checks the user identification against the instances 604 of users from the user asset 606. When the system realizes that the user identification is not listed as one of the known instances 604 of the user asset 606, a new instance 608 is created. The system also checks whether the object of the event (database access) is located in a known database 610. When the system realizes the object is not listed as a known instance 612, a new instance 614 in the database asset 610 is created for the object of the access. As shown in FIG. 6, an event DNA can describe one or a collection of events or data activities. By viewing the system from the data activities aspect for given time durations, it can be easily detected what other assets were involved in these events and what risks are involved.
For each asset, an asset DNA similar to those shown in FIGS. 3-6 can be constructed. For example, from FIG. 6, when the new event relates to a new database user, rich@10.1.1.119, this user will have an asset DNA similar to the one shown in FIG. 4, and the information related to the event detected, for example the database accessed and the command (sqlcmd) used, will also show up in the asset DNA for this user. This asset DNA enables the system to predict what other assets this asset may have a relation (connection) with, and thus makes it easier to predict which operations are harmless and which operations are suspicious. For example, suppose the asset DNA for user James shows that James accesses databases EMP and Master and that the database servers often accessed are AAA, BBB, and CCC. If user Rich is of the same user type as James, then an access by Rich to database EMP is less likely to be harmful even if Rich has never accessed database EMP before.
The determination of whether an event is harmful as described above is possible because of the data DNA modeling applied to events. An event (event DNA) is formed by data DNA, and these data DNA can be for data related to who (user identity), what (object), how (user method), where (user location), and when (time). The data DNA can also be for a group of events, assets, rules, and actions. From a collection of events, baseline events can be derived, and these baseline events are useful for detection of new and variation events. The variation events are new events and/or events with new bonds (new relations to other assets), and the variation events can be indications of attacks (malware) or indications of changes in user behaviors as described in the above paragraph. Critical events, such as deviations from the baseline events, can be easily detected after applying proper filters. Changes in user behaviors are like DNA mutations that may be an indication of a problem but may also be an indication of a new normal. DNA mutations are candidates for further investigation by the user.
By analyzing DNA mutations, for example through analysis of asset deviation, a new asset or a new association may be detected. This analysis may be done for asset DNA, event DNA, and rule DNA. The DNA mutation may involve one or more variable deviations. A one-variable mutation enables detection of a new asset or a new association. Multiple-variable mutations enable detection of more than one asset or detection of new associations for multiple assets. One example of a single-variable mutation is an asset DNA for user James working from his home. James may use a home computer to access data in a server in his office. In this scenario, the user is known, the data has been accessed before, the server has been accessed before, and the only new variable is the location from where James is accessing the data. An example of a multiple-variable mutation is when James accesses new data, never accessed before, from his home computer. In this scenario, the two new variables are the location and the data.
The data DNA modeling can detect not only an anomaly or deviation visible from a single user's perspective, but also an anomaly not easily detectable from one single user's perspective. The data DNA modeling enables easy detection of a system-wide attack even if each operation may seem to be harmless. For example, if a large number of users start to access, at the same time, a database that is not listed in the databases associated with their asset DNAs, this may be an indication that the system is not normal and may be under attack, even if an individual access of a database by one user may seem harmless. This is a situation that overloads server resources and causes denial of service. Because of the availability of asset DNA for each asset, it is now possible to predict what is normal and what can be expected even if it is not shown in the asset DNA.
FIG. 7 is an illustration 700 of data associated with an individual event DNA. Event DNA data 702 such as the time of the event and the connection are captured. Other data of the event are captured as well. The event DNA as shown in FIG. 7 is repeated for all events detected in the system, and the data related to all the events are captured and stored. These data can be filtered. FIG. 8 illustrates an example 800 of a group event DNA. This group event DNA is the result of filtering previously stored data. FIG. 8 is a summary of activities of a group of events in a group event DNA. A group of events is a collection of events; for example, using a set to represent each event:
event1={{a1}, {b1, b2}, {c1, c2, c3}, {d1, d2}}
event2={{a2}, {b2, b3}, {c2, c3}, {d1, d3}}
event3={{a3}, {b1, b3}, {c3, c4}, {d4}}
where {a1, a2, a3, . . . an}, {b1, b2, b3 . . . bn}, {c1, c2, . . . cn}, and {d1, d2, . . . dn}, each represents a set of assets of the same type.
A group event of event1, event2, and event3 is the union of the above event sets: {event1, event2, event3}={{a1, a2, a3}, {b1, b2, b3}, {c1, c2, c3, c4}, {d1, d2, d3, d4}}. A ‘new event’ is an event set that did not exist before.
Similar to the above event sets, a group of assets (of the same type) may be represented as asset sets:
asset1={{x1, x2}, {y1, y2, y3}, {z1, z3}}
asset2={{x2, x3}, {y2}, {z2, z3}}
asset3={{x3, x4}, {y3}, {z4}}
where {x1, x2, x3, . . . xn}, {y1, y2, y3 . . . yn}, and {z1, z2, . . . zn} each represents a set of assets of the same type.
A group asset of asset1, asset2, and asset3 is the union of the above asset sets: {asset1, asset2, asset3}={{x1, x2, x3, x4}, {y1, y2, y3}, {z1, z2, z3, z4}}. A ‘new asset’ is an asset element (atom) which did not exist before. A ‘new asset association’ is a new member of an asset set.
The data DNA model of the present invention can be applied to data collected from different data accesses, such as data requests from web services, data requests from applications, and data requests to databases. The data can be structured data, such as a database; unstructured data, such as files; semi-structured data, such as big data; cloud data, such as Dropbox and Google Documents; etc. Because the data DNA model enables data to be viewed from different perspectives, abnormalities, if not detectable from one perspective, can be detected from a different perspective. For example, an asset DNA of a user accessing a table in a database at an evening hour may seem harmless; however, another asset DNA of the access to the same table at the same time from a high number of users will reveal a possible system-wide attack. Normally, a system access can be represented by the commands and data involved. From the commands involved, different data DNA can be retrieved. For example, if a request is made from a web application for data on a database server, an event DNA representing this system access can be formed. Other data DNA can also be formed; for example, an application DNA representing the access from the web application and an asset DNA representing the database can both be formed. These asset DNAs can be compared with the asset DNA retrieved for each asset.
By comparing the asset DNA for each asset involved with the system access with the retrieved DNA for the corresponding asset, a deviation, if any, can be observed. The deviations are used to identify any type of attack (or virus) that may be hidden in the system requests. In the example above, if the system access is a request from a web application to retrieve user data and there is an anomaly from this system access, the asset DNA for the database and the event DNA for the web application can be retrieved. The event DNA from the system access is compared with these two data DNAs and their deviations noted. Anomalies are deviations from an established standard. The deviations are used to identify the type of attack that the system may be under. If the deviation from the asset DNA for the database is type D3 and the deviation from the event DNA for the web application is W5, then the anomaly is identified as W5D3, for example. After knowing and identifying the deviations, the system can then proceed to find the best solution to handle this anomaly. The system may have access to a database with a list of known viruses or attacks, and W5D3 may be listed as one of the known attacks.
The data DNA modeling also helps to organize the data collected in a system. Normally, the amount of data collected is huge and it is difficult to capture the data and the relationship between one datum and other data. Because the data DNA model captures and caches every new data DNA, the relationship between this captured datum and other data is tracked for future reference, unless there is a new piece of data that forms a new relationship with this datum.
The data DNA model makes it easy to support risk management applications. For example, each asset may be assigned a risk factor according to its business value, and each rule may also be assigned a risk factor according to its significance. An event risk may be calculated from asset risks and rule risks.
FIG. 9 depicts a flowchart 900 of a process for monitoring activities in a system. When a new event is detected, step 902, the system checks whether it involves a new user, step 904. If the new event is from a known user, the set of data representing the user DNA associated with that user is retrieved, step 906. If the event is from a new user, a generic user DNA is created, step 908. The generic user DNA includes typical connections to common “atoms,” i.e., it holds the actions most commonly performed by similar users and the most common objects of those actions. This generic user DNA provides a general idea of the expected behavior of the new user. The generic user DNA is created based on the category of the new user. If the new user is a database administrator, the generic user DNA will have the most common attributes of a database administrator DNA. If the new user works in the human resource department, the generic user DNA created would differ from the generic user DNA for a database administrator.
After the user DNA is either retrieved for the known user or created for the new user, the system performs substantially the same checks against either user DNA. The system checks whether any new asset (atom) is involved, step 910. If the user is accessing data that he has not accessed before, that data is a new asset. This situation is also illustrated in FIG. 4, where user James 402 accesses new data EMP 420. After detecting that the event involves a new asset (new data), the system checks whether this new asset is part of the generic user DNA, step 912. The new asset is part of the generic user DNA if other users similar to James have accessed this asset before. If the new asset is not part of the generic user DNA, it is recorded, step 914, as part of the user DNA for the user. The risk level associated with this event is also increased, step 916, because of the access to an asset not previously accessed.
After checking whether the new asset is part of the generic user DNA, the system also checks whether the method used to access this asset is new, i.e., whether there is a new bond (a new relationship) between user James and this new asset, step 918. If the method is new, i.e., there is a new bond, the method is recorded in James' user DNA, step 920, and the risk level is further increased, step 922. Step 918 is performed by comparing the method used with the methods recorded in James' user DNA. If the event detected in step 902 is from a new user and consequently the generic user DNA is used, the new-bond check compares the method against the methods listed in the generic user DNA, which are the most common methods used by users with similar qualifications.
The process described in FIG. 9 is applicable to other assets, such as servers and databases, and also helps predict the risk level of a new asset. When a new asset is detected, a generic asset DNA can be used to predict which relationships are likely to be acceptable for this new asset, and consequently the risk level can be predicted.
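The FIG. 9 flow above (steps 904 through 922) as an added worked example in Python; this is illustration code written for this page, not code from the patent or its assignee. A user DNA is modelled as a set of bonds (asset, method); the generic DNAs per category, the sample user store, the two risk increments and the function names process_event and sample_users are all constructed assumptions.

```python
"""Added example (not from the patent): one access event checked against user DNA.

User DNA = set of bonds (asset, method). GENERIC_DNA, sample_users, process_event
and the risk increments are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Bond = Tuple[str, str]          # (asset accessed, method used to access it)

# Constructed risk increments for steps 916 (new asset) and 922 (new bond).
RISK_NEW_ASSET = 3
RISK_NEW_BOND = 2

# Constructed generic user DNAs, keyed by user category (step 908): the bonds
# most commonly seen for users of that category.
GENERIC_DNA: Dict[str, Set[Bond]] = {
    "dba": {("EMP", "SELECT"), ("EMP", "UPDATE"), ("SALARY", "SELECT"), ("syslog", "SELECT")},
    "hr":  {("EMP", "SELECT"), ("EMP", "UPDATE"), ("BENEFITS", "SELECT")},
}


@dataclass
class UserDNA:
    user: str
    category: str
    bonds: Set[Bond] = field(default_factory=set)

    def assets(self) -> Set[str]:
        return {asset for asset, _ in self.bonds}

    def methods_for(self, asset: str) -> Set[str]:
        return {method for a, method in self.bonds if a == asset}


def sample_users() -> Dict[str, UserDNA]:
    """Constructed store of known user DNAs; returns a fresh copy on every call."""
    return {"James": UserDNA("James", "hr", {("EMP", "SELECT")})}


def process_event(user: str, category: str, asset: str, method: str,
                  known: Dict[str, UserDNA]) -> Tuple[int, List[str]]:
    """Run one event through steps 904-922 and return (risk increase, notes).

    The user's DNA inside `known` is updated in place (steps 914/920); a new
    user's generic DNA is stored so that later events are compared against it.
    """
    risk = 0
    notes: List[str] = []

    if user in known:                                    # step 904 -> 906
        dna = known[user]
    else:                                                # step 904 -> 908
        dna = UserDNA(user, category, set(GENERIC_DNA.get(category, set())))
        known[user] = dna
        notes.append("new user: generic DNA for category %r used" % category)

    if asset not in dna.assets():                         # step 910: new asset?
        generic_assets = {a for a, _ in GENERIC_DNA.get(dna.category, set())}
        if asset not in generic_assets:                   # step 912
            risk += RISK_NEW_ASSET                        # step 916
            notes.append("new asset %r not in generic DNA" % asset)
        else:
            notes.append("new asset %r but common for %r users" % (asset, dna.category))

    if method not in dna.methods_for(asset):              # step 918: new bond?
        dna.bonds.add((asset, method))                    # step 920 (records the asset too, step 914)
        risk += RISK_NEW_BOND                             # step 922
        notes.append("new bond (%s, %s)" % (asset, method))

    return risk, notes
```

Note that a new user's first event never raises asset risk for something that is common in the generic DNA of its category, while a known user touching an asset that is common for the category but new to him still pays the new-bond increment, because step 918 compares against his own recorded methods.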
FIG. 10 illustrates an apparatus 1002 according to one embodiment of the present invention. The apparatus 1002 connects to a network through a network interface unit 1008 and monitors access requests, through a monitoring unit 1004, to one or multiple data servers connected to the network. When an access request is detected, the control unit 1010 checks whether the access request involves a known asset or an existing asset, i.e., whether the access request is from a known user or directed toward a known database on a known server, by checking the asset database stored in the storage unit 1020. The storage unit 1020 is a non-volatile computer-readable memory unit and may be internal or external to the apparatus 1002. The storage unit 1020 stores computer programs that, when executed by the control unit 101, enable the apparatus 1002 to perform the functions described in this specification. The control unit 101 identifies from the access request all the associations for the asset, and these associations are checked against the asset DNA for the asset. The apparatus 1002 also includes an audit policy unit 1006 for storing the audit policy entered by a user through a user interface 1012. The audit policy is used by the apparatus 1002 to audit the access requests collected from the network, which are also stored in the storage unit 1020. When abnormalities are detected, alerts are issued by the control unit 1010.
Apparatus 1002 of the present invention can enhance data security through data DNA modeling. Data DNA modeling enables representation not only of individual assets but also of groups of assets. When a user accesses data in a database server from his residence at night, the user DNA for this user is retrieved and checked. This access may be made by a known user to data that he has accessed before, so no alert is raised. The same access can also be viewed from the database server's perspective. The database server DNA for that server can be retrieved and checked. If the database server DNA shows multiple users accessing the same data at the same evening hour, this may indicate something abnormal even if, individually, all the accesses appear normal. This illustrates that a view from a single asset's perspective may not detect any problem, while a view from another asset's perspective may reveal a hidden attack.
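The two-perspective check described in the paragraph above, as an added Python example written for this page (not the patent's or the assignee's code). The user DNA here is a map of data to hours previously seen, the server DNA is a baseline count of distinct users per (server, data, hour), and the evening event log, thresholds and function names user_view_anomalies and server_view_anomalies are all constructed assumptions.

```python
"""Added example (not from the patent): the same evening accesses judged from
each user's DNA and from the database server's DNA.

USER_DNA, SERVER_DNA, EVENTS and the function names are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, int]   # (user, server, data, hour of day)

# Constructed user DNAs: for each user, the data accessed before and the hours seen.
USER_DNA: Dict[str, Dict[str, Set[int]]] = {
    "james": {"EMP": {9, 14, 21}},
    "mei":   {"EMP": {10, 21}},
    "raj":   {"EMP": {21, 22}},
}

# Constructed server DNA: for each (server, data, hour), the largest number of
# distinct users seen within that hour during the baseline period.
SERVER_DNA: Dict[Tuple[str, str, int], int] = {
    ("db01", "EMP", 21): 1,
    ("db01", "EMP", 9): 6,
}

# Constructed event log for one evening: three users read EMP at 21:00.
EVENTS: List[Event] = [
    ("james", "db01", "EMP", 21),
    ("mei",   "db01", "EMP", 21),
    ("raj",   "db01", "EMP", 21),
]


def user_view_anomalies(events: List[Event]) -> List[Event]:
    """Per-user view: flag an event only if this user never touched that data
    at that hour before. Each user here has, so nothing is flagged."""
    return [e for e in events
            if e[3] not in USER_DNA.get(e[0], {}).get(e[2], set())]


def server_view_anomalies(events: List[Event]) -> List[Tuple[str, str, int, int, int]]:
    """Server view: count distinct users per (server, data, hour) and flag any
    hour whose count exceeds the server DNA baseline.
    Returns tuples (server, data, hour, observed_users, baseline)."""
    seen: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for user, server, data, hour in events:
        seen[(server, data, hour)].add(user)
    flagged = []
    for (server, data, hour), users in seen.items():
        baseline = SERVER_DNA.get((server, data, hour), 0)
        if len(users) > baseline:
            flagged.append((server, data, hour, len(users), baseline))
    return flagged


if __name__ == "__main__":
    print("user view:", user_view_anomalies(EVENTS))
    print("server view:", server_view_anomalies(EVENTS))
```

The point of keeping a DNA per asset type is visible in the two return values: the per-user check is empty, while the server-side aggregation flags three distinct users against a baseline of one for that hour.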
The present invention helps a system identify attacks when anomalies are detected in the system. An attack can be identified from the anomalies detected, and the system can devise a proper response once the attack is identified. FIG. 11 illustrates a flowchart 1100 for identifying an attack. When a system access is detected, for example a user accessing data from a database application, step 1102, an event DNA is created and associated with this event, step 1104. Asset DNAs for each asset involved are also created, and these asset DNAs and the event DNA are recorded, step 1106. For example, if the user retrieves employee information from a human resource department database, a database DNA for the human resource database is created and a server DNA for the server where the human resource database is stored is also created. Each event DNA and asset DNA is assigned an identification.
Each newly created asset DNA is compared with the previously stored asset DNAs for that asset, step 1108. For example, the user DNA for the user is compared with the stored user DNA for that particular user, and the database DNA is compared with the stored database DNA for that particular database. If there is an anomaly associated with this database DNA, the deviation between this database DNA and the previously stored database DNA is noted, step 1110. Deviations from the other comparisons are also detected and stored. The deviation from a system access may trigger policy actions if the deviation violates a policy, step 1112. The deviations are recorded, step 1114.
Because stored user DNAs are available, it is possible to know whether a particular action by a user is normal, i.e., part of the user's DNA. If the user has accessed the human resource department's database before, this particular access would not trigger any concern. However, if the previous accesses were from his office and this access is from a computer in a library, the deviation may trigger some concern.
An attack typically takes place over several events, and each event may lead to deviations in many asset DNAs of many asset types. A risk management system can be devised using the present invention. The risk management system quantifies the aggregated risk from the deviation of each asset DNA of each asset type according to user-defined policy rules, step 1116, and after all deviations are detected and identified, the system can identify the attack that is affecting the system, step 1118. The deviations that form this aggregated risk serve as a signature of the attack and identify the type of the attack. If the attack is known, step 1120, because all the deviations are known, the system may have access to a countermeasure for this attack, step 1122. If the attack is new and previously unknown, the system alerts the system administrator, step 1124, who can take proper action.
By the same deviation method used for event DNA and asset DNA, a rule DNA can also be used to model the relationship between a given rule and its associated assets, managed by the risk management system. In many situations a single deviation may not trigger any alert on the system, but deviations detected across many different asset DNAs can be an indication of an attack. The system determines the triggering conditions through policies and rules.
The risk management system based on the present invention can compute risk from:
    • Rule Risk Level
    • Asset Sensitivity Level
    • Risk of New Asset DNA according to Asset Type
    • Risk of New Asset Association according to Asset Type
    • Risk of New Rule DNA
    • Risk of New Rule Association
    • Risk of New Event DNA
Actions can be assigned according to the aggregated risk, and the aggregated risk may be computed from user defined formula, for example:
Risk = Sum($RuleRisk) + Sum($AssetRisk) + Sum($NewAssetDNARisk) + Sum($NewAssetAssociation) + Sum($NewRuleDNARisk) + Sum($NewRuleAssociation) + Sum($newEventDNA)
Each individual risk is computed by comparing a deviation with a predefined trigger level defined by a risk policy. An individual risk may stay below its predefined risk level and not raise an alarm, while the aggregated risk may still cause the alarm.
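The deviation-to-risk pipeline of FIG. 11 (steps 1108 through 1124) together with the aggregated-risk formula above, as an added Python example written for this page rather than taken from the patent or its assignee. The seven category names follow the list on the page; the per-category trigger levels, the aggregate alarm level, the Deviation fields, the attack signature catalogue with its responses, and the sample deviations are all constructed assumptions.

```python
"""Added example (not from the patent): quantify deviations per risk category
against policy trigger levels, aggregate them with the page's Risk = Sum(...)
formula, and match the deviation set against known attack signatures.

POLICY, AGGREGATE_TRIGGER, KNOWN_ATTACKS, Deviation and SAMPLE are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The seven risk categories listed in the specification.
CATEGORIES = ("RuleRisk", "AssetRisk", "NewAssetDNARisk", "NewAssetAssociation",
              "NewRuleDNARisk", "NewRuleAssociation", "NewEventDNA")

# Constructed risk policy (step 1116): the level at which one deviation raises
# an alarm on its own, and the level at which the aggregated risk does.
POLICY: Dict[str, int] = {c: 5 for c in CATEGORIES}
POLICY["AssetRisk"] = 4
AGGREGATE_TRIGGER = 8

# Constructed attack catalogue (step 1120): deviation signature -> (name, countermeasure).
KNOWN_ATTACKS: Dict[FrozenSet[str], Tuple[str, str]] = {
    frozenset({"user:new_location", "db:unusual_hour", "server:multi_user_burst"}):
        ("credential misuse", "terminate session and require re-authentication"),
}


@dataclass(frozen=True)
class Deviation:
    asset_type: str     # user, database, server, rule or event
    category: str       # one of CATEGORIES
    tag: str            # short label that becomes part of the attack signature
    magnitude: int      # deviation measured at step 1110 (constructed 0-10 scale)


def quantify(deviations: List[Deviation]) -> Dict[str, int]:
    """Step 1116: the Sum($...) term for each category."""
    per_cat = {c: 0 for c in CATEGORIES}
    for d in deviations:
        per_cat[d.category] += d.magnitude
    return per_cat


def individual_alarms(deviations: List[Deviation]) -> List[str]:
    """Deviations that cross their own category trigger level (step 1112)."""
    return [d.tag for d in deviations if d.magnitude >= POLICY[d.category]]


def aggregate(per_cat: Dict[str, int]) -> int:
    """Risk = Sum($RuleRisk) + Sum($AssetRisk) + ... + Sum($newEventDNA)."""
    return sum(per_cat[c] for c in CATEGORIES)


def evaluate(deviations: List[Deviation]) -> dict:
    """Steps 1116-1124: quantify, aggregate, identify the attack, pick a response."""
    per_cat = quantify(deviations)
    total = aggregate(per_cat)
    signature = frozenset(d.tag for d in deviations)      # step 1118
    result = {
        "aggregated_risk": total,
        "individual_alarms": individual_alarms(deviations),
        "aggregate_alarm": total >= AGGREGATE_TRIGGER,
        "attack": None,
        "response": None,
    }
    if result["aggregate_alarm"]:
        known = KNOWN_ATTACKS.get(signature)               # step 1120
        if known:
            result["attack"], result["response"] = known  # step 1122
        else:
            result["attack"] = "unknown"
            result["response"] = "alert administrator"    # step 1124
    return result


# Constructed deviations from one access: no single one crosses its trigger
# (5, 5 and 4 respectively), but together they reach the aggregate level.
SAMPLE = [
    Deviation("user", "NewAssetAssociation", "user:new_location", 3),
    Deviation("database", "NewEventDNA", "db:unusual_hour", 3),
    Deviation("server", "AssetRisk", "server:multi_user_burst", 3),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Using the unordered set of deviation tags as the signature is what lets the catalogue lookup be independent of the order in which the per-asset comparisons ran; a real deployment would also store the magnitudes with the recorded deviations (step 1114) so that an unknown combination can later be added to the catalogue.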
The steps illustrated by FIGS. 2, 9, and 11 can be achieved by the control unit executing computer programs stored in the storage unit 1020. Furthermore, in the context of FIGS. 2, 9, and 11, the steps illustrated do not require or imply any particular order of actions. The actions may be executed in sequence or in parallel. The method may be implemented, for example, by operating portion(s) of a network device, such as a network router or network server, to execute a sequence of machine-readable instructions. The instructions can reside in various types of signal-bearing or data storage primary, secondary, or tertiary media. The media may comprise, for example, RAM (not shown) accessible by, or residing within, the components of the network device. Whether contained in RAM, a diskette, or other secondary storage media, the instructions may be stored on a variety of machine-readable data storage media, such as DASD storage (e.g., a conventional “hard drive” or a RAID array), magnetic tape, electronic read-only memory (e.g., ROM, EPROM, or EEPROM), flash memory cards, an optical storage device (e.g. CD-ROM, WORM, DVD, digital optical tape), paper “punch” cards, or other suitable data storage media including digital and analog transmission media. The instructions when executed by a computer will enable the computer to perform the steps illustrated in FIGS. 2, 9, and 11.
The units illustrated in FIG. 10 are described by their function, and these units may have different physical implementations; for example, the units may be combined or implemented in one or more computers.
While the invention has been particularly shown and described with reference to a preferred embodiment thereof, it will be understood by those skilled in the art that various changes in form and detail may be made without departing from the spirit and scope of the present invention as set forth in the following claims. Furthermore, although elements of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated. The combinations of different features described in different embodiments in this specification are foreseeable and within the scope of the invention.

Claims (17)

What is claimed is:
1. A method for responding to a system attack, by an apparatus comprising a monitoring unit, a non-volatile computer-readable memory, and a control unit, comprising:
receiving, by the monitoring unit, a system access request;
creating an event DNA for the system access request and an asset DNA for each resource associated with the system access request;
recording one or more deviation between one or more created asset DNAs and corresponding stored asset DNAs;
quantifying risks associated with each deviation according to a user policy;
aggregating the quantified risks into an aggregated risk;
identifying type of the system attack according to the aggregated risk; and
if the system attack is known, identifying a response according to the aggregated risk,
wherein each quantified risk for a created asset DNA is computed by comparing a deviation from a stored asset DNA.
2. The method of claim 1, further comprising
assigning a signature for the aggregated risk to identify the system attack.
3. The method of claim 2, further comprising determining whether the system attack is known by comparing the one or more deviation to previous known attacks.
4. The method of claim 1, further comprising recording the one or more deviation.
5. The method of claim 1, further comprising setting an alert if the type of the system attack is previously unknown.
6. The method of claim 1, further comprising setting an alert if more than one deviation is recorded.
7. An apparatus, for identifying risks associated with information access requests in a system, comprising:
a network interface unit in communication with a network;
a monitoring unit network in communication with the network interface and receiving information access request from the network;
a control unit; and
a non-volatile computer-readable memory in communication with the monitoring unit,
wherein
the control unit
receives a system access request,
creates an event DNA for the system access request and an asset DNA for each resource associated with the system access request,
records one or more deviation between one or more created asset DNAs and corresponding stored asset DNAs,
quantifies risks associated with each deviation according to a user policy,
aggregates the quantified risks into an aggregated risk,
identifies type of the system attack according to the aggregated risk; and
if the system attack is known, identifies a response according to the aggregated risk,
wherein each quantified risk for a created asset DNA is computed by comparing a deviation from a stored asset DNA.
8. The apparatus of claim 7, wherein the control unit further
assigns a signature for the aggregated risk to identify the system attack.
9. The apparatus of claim 8, wherein the control unit further determines whether the system attack is known by comparing the one or more deviation to previous known attacks.
10. The apparatus of claim 7, wherein the control unit further records the one or more deviation.
11. The apparatus of claim 7, wherein the control unit further sets an alert if the type of the system attack is previously unknown.
12. The apparatus of claim 7, wherein the control unit further sets an alert if more than one deviation is recorded.
13. A non-transitory computer readable medium on which is stored a computer program for identifying risks associated with information access requests in a system, the computer program comprising computer instructions that when executed by a computing device with a monitoring unit, a non-volatile computer-readable memory, and a control unit causes the computing device to perform the steps for:
receiving, by the monitoring unit, a system access request;
creating an event DNA for the system access request and an asset DNA for each resource associated with the system access request;
recording one or more deviation between one or more created asset DNAs and corresponding stored asset DNAs;
quantifying risks associated with each deviation according to a user policy;
aggregating the quantified risks into an aggregated risk;
identifying type of the system attack according to the aggregated risk; and
if the system attack is known, identifying a response according to the aggregated risk,
wherein each quantified risk for a created asset DNA is computed by comparing a deviation from a stored asset DNA.
14. The computer instructions of claim 13 further causes the computer device to perform the steps for
assigning a signature for the aggregated risk to identify the system attack.
15. The computer instructions of claim 13 further causes the computer device to perform the step for determining whether the system attack is known by comparing the one or more deviation to previous known attacks.
16. The computer instructions of claim 13 further causes the computer device to perform the step for recording the one or more deviation.
17. The computer instructions of claim 13 further causes the computer device to perform the step for setting an alert if the type of the system attack is previously unknown.
Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/056,050 US10614225B2 (en) 2016-01-07 2018-08-06 System and method for tracing data access and detecting abnormality in the same

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/990,399 US10068094B2 (en) 2016-01-07 2016-01-07 System and method for tracing data access and detecting abnormality in the same
US16/056,050 US10614225B2 (en) 2016-01-07 2018-08-06 System and method for tracing data access and detecting abnormality in the same

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/990,399 Continuation US10068094B2 (en) 2016-01-07 2016-01-07 System and method for tracing data access and detecting abnormality in the same

Publications (2)

Publication Number Publication Date
US20180349616A1 US20180349616A1 (en) 2018-12-06
US10614225B2 true US10614225B2 (en) 2020-04-07

Family

ID=59274914

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/990,399 Active 2036-09-04 US10068094B2 (en) 2016-01-07 2016-01-07 System and method for tracing data access and detecting abnormality in the same
US16/056,050 Active US10614225B2 (en) 2016-01-07 2018-08-06 System and method for tracing data access and detecting abnormality in the same

Country Status (1)

Country Link
US (2) US10068094B2 (en)

Also Published As

Publication number Publication date
US20180349616A1 (en) 2018-12-06
US10068094B2 (en) 2018-09-04
US20170200011A1 (en) 2017-07-13

Legal Events

Date Code Title Description
AS Assignment

Owner name: DATIPHY INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LIN, YEEJANG JAMES;REEL/FRAME:046565/0157

Effective date: 20160105

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4